There had been well known claims of "provably unbreakable" quantum protocols for bit commitment and coin tossing. However, we, and independently Mayers, showed that all proposed quantum bit commitment (and therefore coin tossing) schemes are, in principle, insecure because the sender, Alice, can always cheat successfully by using an EPR-type of attack and delaying her measurements. One might wonder if secure quantum bit commitment and coin tossing protocols exist at all. Here we prove that an EPR-type of attack by Alice will, in principle, break any realistic quantum bit commitment and ideal coin tossing scheme. Therefore, provided that Alice has a quantum computer and is capable of storing quantum signals for an arbitrary length of time, all those schemes are insecure. Since bit commitment and coin tossing are useful primitives for building up more sophisticated protocols such as zero-knowledge proofs, our results cast very serious doubt on the security of quantum cryptography in the so-called "post-cold-war" applications.



1 Introduction 

Quantum cryptography was first proposed by Wiesner [ref] more than two decades ago in a paper that remained unpublished until 1983. Recently, there have been lots of renewed activities in the subject. The most well-known application of quantum cryptography is key distribution. The aim of key distribution is to allow two users to generate a shared random string of information that can, for example, be used to make their messages in subsequent communication totally unintelligible to an eavesdropper. Quantum key distribution is secure [refs] because it is impossible (for an eavesdropper) to make copies (or clones) of non-orthogonal states in quantum mechanics without violating unitarity. Moreover, measuring a quantum system generally disturbs it because quantum mechanical observables can be non-commuting. For this reason, eavesdropping on a quantum communication channel will generally leave unavoidable disturbance in the transmitted signal which can be detected by the legitimate users.

In addition to key distribution, the so-called "post-cold-war" applications of quantum cryptography have also been proposed [refs]. A typical problem in "post-cold-war" quantum cryptography is the two-party secure computation, in which both parties would like to know the result of a computation but neither side wishes to reveal its own data. For example, two firms will embark on a joint venture if and only if their combined capital available for the project is larger than one million dollars. They would like to know if this condition is fulfilled but neither wishes to reveal the exact amount of capital it commits to the project. In classical cryptography, this can be done either through trusted intermediaries or by invoking some unproven cryptographic assumptions such as the hardness of factoring. The big question is whether quantum cryptography can get rid of those requirements and achieve the same goal using the laws of physics alone.

This paper relates to those post-cold-war applications of quantum cryptography. Until recently, there had been much optimism in the subject. Various protocols for, say, bit commitment, coin tossing and oblivious transfer of quantum cryptography had been proposed [refs]. In particular, the BCJL [ref] bit commitment scheme had been claimed to be provably unbreakable. However, in our recent paper [17], we showed that all proposed quantum bit commitment schemes are insecure because the sender, Alice, can always cheat successfully by using an EPR-type of attack and delaying her measurement until she opens her commitment. (The insecurity of the BCJL scheme was also investigated by Mayers [ref] from an information-theoretic point of view.) Our result put the security of post-cold-war quantum cryptographic systems in serious doubt because bit commitment is a crucial primitive in building up more sophisticated protocols. In particular, it has been shown by Yao [22] that a secure quantum bit commitment scheme can be used to implement a secure quantum oblivious transfer scheme whereas Kilian [15] has shown that, in classical cryptography, oblivious transfer can be used to implement many protocols such as oblivious circuit evaluation, which is a close cousin of secure two-party computation. This chain of arguments, therefore, seems to suggest that quantum bit commitment alone is sufficient for implementing secure two-party computation or its close cousin. However, without quantum bit commitment, it is not clear if secure two-party computation can be achieved through quantum means at all.

While we showed in our previous paper [17] the insecurity of all proposed quantum bit commitment schemes, an important fundamental question that we left unanswered was whether any secure quantum bit commitment scheme exists at all. Here we show that, provided that a cheater has a quantum computer and is capable of storing quantum signals for an arbitrary length of time, quantum bit commitment and ideal quantum coin tossing are impossible: all such protocols are necessarily insecure against an EPR-type of attack by at least one of the users. In our opinion, our highly disruptive results can be taken as a strong indication that, despite widespread early optimism, realistic post-cold-war applications of quantum cryptography simply do not exist. We acknowledge the receipt of a preprint of Dominic Mayers about the impossibility of quantum bit commitment. This preprint contains the essential result and approach to bit commitment that we present here except that, in our opinion, it does not define in sufficient detail the general model that it uses for quantum protocols and therefore the model is too vague. To answer the question in a more satisfactory manner and to make the discussion more precise, we strongly felt the need to use a variant of Yao's model. Besides, our discussion on ideal quantum coin tossing makes essential use of such a concrete model.



2 Quantum bit commitment 

A general bit commitment scheme involves two parties, a sender, Alice, and a receiver, Bob. Suppose that Alice has a bit ($b = 0$ or $1$) in mind, to which she would like to be committed towards Bob. That is to say, she wishes to provide Bob with a piece of evidence that she has a bit in mind and that she cannot change it. Meanwhile, Bob should not be able to tell from that evidence what $b$ is. At a later time, however, it must be possible for Alice to open the commitment. That is, Alice must be able to show Bob which bit she has committed to and convince him that this is indeed the genuine bit that she had in mind when she committed (see footnote 1).

What constitutes cheating by Alice? If Alice commits to a particular value of $b$ (e.g., $b = 0$) during the commitment phase and attempts to change it to another value (e.g., $b = 1$) during the opening phase, Alice is cheating. A bit commitment scheme is secure against Alice only if such a fake commitment will be discovered by Bob. In this section, we show that, contrary to popular belief, all quantum bit commitment schemes are, in principle, insecure against a cheating Alice.

Footnote 1: A bit commitment scheme is useful for, say, implementing a coin tossing scheme. See footnote 5 below.



2.1 Model of two-party quantum protocols

Quantum bit commitment and coin tossing are examples of two-party quantum protocols. A two-party quantum protocol involves a pair of quantum machines in the hands of two users, A (Alice) and B (Bob) respectively, which interact with each other through a quantum channel, C. More formally, we consider the direct product $H$ of the three Hilbert spaces $H_A$, $H_B$ and $H_C$, where $H_A$ ($H_B$) is the Hilbert space of Alice's (Bob's) machine and $H_C$ is the Hilbert space of the channel. We assume that initially each machine is in some specified pure quantum state. A and B then engage in a number of rounds of quantum communication with each other through the channel C. More concretely, A and B alternately perform a unitary transformation on $H_D \otimes H_C$ where $D \in \{A, B\}$.

The above model is a simplification of a model proposed by Yao [22]. Although Yao apparently did not emphasize the generality of his model, it appears to us that any realistic two-party computation can be described by Yao's model. For instance, since Alice and Bob are separated by a long distance, it is impractical to demand simultaneous two-way communications between them. The idea of alternate rounds of one-way communications in Yao's model is, therefore, reasonable. However, there are two significant distinctions between Yao's model and ours. First, Yao's model deals with mixed initial states whereas we assume that the initial state of each machine is pure. Second, in Yao's model, the user D does two things in each round of the communication: D carries out a measurement on the current mixed state of the portion of the space, $H_D \otimes H_C$, in his/her control and then performs a unitary transformation on $H_D \otimes H_C$. In our model, the measurement step has been eliminated.

Nevertheless, we would like to argue that there is no loss in generality and that our model still gives the most general procedure of a two-party quantum protocol. Let us consider the first distinction. In assuming that the initial state of each machine is pure, we are just giving the users complete control over the initial states of the machines. Any situation with mixed initial state can be included in our consideration simply by attaching a quantum dice to a machine and considering the pure state as describing the combined state of the two.

What about the second distinction? We make the simple but crucial observation that one can avoid dealing with the collapse of a wavefunction associated with a measurement altogether. The point is that, in principle, D has the option of adding an ancilla to his/her quantum machine and using a reversible unitary operation to replace a measurement. D can then read off the state of his/her ancilla only at the very end of the protocol. Put another way: Alice and Bob are assumed to be in possession of quantum computers and quantum storage devices. Note that our model is general enough to incorporate any classical computation and communications: an algorithm on classical computers can clearly be simulated by quantum computers. It cannot be overemphasized that this unitary description leads to no loss in generality and indeed any two-party quantum protocol can be described by our model. (See [3] and, in particular, Appendix B of the revised version of [11] for related discussions; see also footnote 2.) Such a unitary description will greatly simplify our discussion.

Of course, the faithful execution of most quantum bit commitment protocols does not require the users to possess quantum computers. We use a unitary description merely to simplify our discussions. The point is the following: if a cheater can cheat successfully against an honest party who has a quantum computer (and quantum storage devices), clearly he/she can also cheat successfully against one who does not have a quantum computer (nor quantum storage devices). This is because an honest party without a quantum computer can be regarded as a special case of one who has a quantum computer but fails to make full use of it.

2.2 Procedure of quantum bit commitment

Granting the possession of quantum computers and quantum storage devices by Alice, the most general procedure for an ideal quantum bit commitment scheme can be rephrased in the following manner.

(a) Preparation of states: Alice chooses the value of a bit $b$ to which she would like to be committed towards Bob. If $b = 0$ (respectively $b = 1$), she prepares a state $|0\rangle$ (respectively $|1\rangle$) for $H_A$. The two states $|0\rangle$ and $|1\rangle$ are orthogonal to each other. Bob prepares a state $|B_0\rangle \otimes |C_0\rangle$ for the product Hilbert space $H_B \otimes H_C$. All the states $|0\rangle$, $|1\rangle$ and $|B_0\rangle \otimes |C_0\rangle$ are specified by the protocol and are known to both Alice and Bob.

(b) The actual commitment: Step (b) involves a specified and fixed number of rounds of quantum communication alternately between Alice and Bob. As noted above, each round of quantum communication can be modeled as a unitary transformation on $H_D \otimes H_C$ ($D \in \{A, B\}$), which in turn induces a unitary transformation on the space $H = H_A \otimes H_B \otimes H_C$.

Notice that for an ideal bit commitment, it must be the case that, at the end of step (b), Bob still has absolutely no information about the value of the committed bit $b$. (We will relax this assumption when we come to the non-ideal case in the next subsection.) Now that the commitment has been made, both sides may wait an arbitrary length of time until the last step:

(c) Opening of the commitment: A specified and fixed number of rounds of quantum communication alternately between Alice and Bob are again involved. As in step (b), we model each round of quantum communication as a unitary transformation on $H_D \otimes H_C$ ($D \in \{A, B\}$), which in turn induces a unitary transformation on the space $H = H_A \otimes H_B \otimes H_C$.

Footnote 2: We thank L. Goldenberg and D. Mayers for a discussion on the generality of Yao's model.

In a secure bit commitment scheme, Bob will learn the value of $b$ and be convinced that Alice has already committed to that value of $b$ at the end of step (b) and cannot change it anymore in step (c).

However, we show that the above general scheme necessarily fails because Alice can always cheat successfully by using reversible unitary operations in step (b) and subsequently rotating a state that corresponds to $b = 0$ to one that corresponds to $b = 1$ (and vice versa) in the beginning of step (c). Note that Alice's ability to cheat lies in her capability of storing coherent quantum signals for a long period of time (until the beginning of step (c)).

Let us justify our claim. Consider more closely the situation at the end of step (b), the commitment phase. Let $|0\rangle_{com}$ and $|1\rangle_{com}$ denote the state of $H = H_A \otimes H_B \otimes H_C$ at that time corresponding to the two possible values of $b$ respectively. In order that Alice and Bob can follow the procedures, they must know the exact forms of all the unitary transformations involved (see footnote 3). Therefore, Alice must be capable of computing the two states $|0\rangle_{com}$ and $|1\rangle_{com}$. Since the channel will sit idle for a long while, its state has to be trivial. We may, therefore, assume that the channel C is in a prescribed pure state $|u\rangle_C$ at the end of step (b). Moreover, the fact that Bob has absolutely no information about the value of $b$ implies that the density matrix in his hand is independent of the value of $b$. That is to say that $\mathrm{Tr}_A(|0\rangle_{com}\langle 0|_{com}) = \mathrm{Tr}_A(|1\rangle_{com}\langle 1|_{com})$. But then $|0\rangle_{com}$ and $|1\rangle_{com}$ of $H$ must have the same Schmidt polar form (see, for example, the Appendix of [13]), namely:

$$|0\rangle_{com} = \sum_k \sqrt{\lambda_k}\, |e_k\rangle_A \otimes |\phi_k\rangle_B \otimes |u\rangle_C, \qquad (1)$$

and

$$|1\rangle_{com} = \sum_k \sqrt{\lambda_k}\, |e'_k\rangle_A \otimes |\phi_k\rangle_B \otimes |u\rangle_C, \qquad (2)$$

where $|e_k\rangle_A$ and $|e'_k\rangle_A$ are two orthonormal bases of $H_A$ and $|\phi_k\rangle_B$ is an orthonormal basis of $H_B$.

Footnote 3: As stated earlier, any probabilistic scheme can be rephrased as a deterministic one by considering the state of the combined system of the quantum dice and the original system.
The key observation is that these two states are related by a unitary transformation acting on $H_A$ alone! Consequently Alice can make a fake commitment and change the value of $b$ in the beginning of step (c). For example, she may proceed as follows: First, Alice always takes $b = 0$ in step (a) and goes through step (b). It is only in the beginning of step (c) that Alice decides on the actual value of $b$ that she wishes to open. If she decides $b = 0$ now, she can go through step (c) honestly. If she wishes to change the value of $b$ from $0$ to $1$, she simply applies a unitary transformation to rotate her state from $|0\rangle_{com}$ to $|1\rangle_{com}$ before going through step (c). Since the unitary transformation acts on $H_A$ alone, Bob clearly has no way of knowing Alice's dishonesty (see footnote 4). In conclusion, provided that Alice possesses quantum computers and quantum storage devices, our results show that all quantum bit commitment schemes are insecure because Alice can cheat successfully by using an EPR-type of attack.
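A numerical instance of the argument above, added here as an illustration and not code from the paper: two constructed two-qubit commitment states with identical reduced states on Bob's side, the common Schmidt basis of Eqs. (1) and (2), and the unitary on $H_A$ alone that rotates $|0\rangle_{com}$ into $|1\rangle_{com}$. The channel is omitted because it sits in the fixed state $|u\rangle_C$; numpy is assumed.

```python
import numpy as np

def reduced_state_bob(psi, dA, dB):
    """Bob's density matrix rho_B = Tr_A |psi><psi| for a pure state psi on
    H_A (x) H_B, stored as a flat vector with Alice's index first."""
    m = psi.reshape(dA, dB)
    return np.einsum('ij,ik->jk', m, m.conj())

def trace_distance(rho0, rho1):
    """Bob's best single-shot probability of telling rho0 from rho1 is
    1/2 + D/2; D = 0 is the ideal case where Bob learns nothing about b."""
    return 0.5 * float(np.sum(np.abs(np.linalg.eigvalsh(rho0 - rho1))))

def alice_schmidt_vectors(psi, dA, dB, phis, lams):
    """Alice's Schmidt vectors |e_k>_A relative to a *fixed* basis |phi_k>_B of
    Bob's space: psi = sum_k sqrt(lam_k) |e_k>_A |phi_k>_B, hence
    |e_k>_A = (<phi_k|_B psi) / sqrt(lam_k).  Returned as columns."""
    m = psi.reshape(dA, dB)
    cols = [m @ phi.conj() / np.sqrt(lam)
            for phi, lam in zip(phis.T, lams) if lam > 1e-12]
    return np.array(cols).T

def complete_unitary(E):
    """Extend orthonormal columns E (dA x r) to a dA x dA unitary: keep the
    given columns exactly, fill the rest from the orthogonal complement."""
    d, r = E.shape
    q, _ = np.linalg.qr(E, mode='complete')
    q = q.astype(complex)
    q[:, :r] = E
    return q

def cheating_unitary(psi0, psi1, dA, dB, tol=1e-9):
    """The unitary U_A on H_A alone with (U_A (x) I_B)|psi0> = |psi1>.
    Returns None when Bob's reduced states differ, i.e. the scheme is not
    ideal and this exact construction does not apply (see section 2.3)."""
    rho0 = reduced_state_bob(psi0, dA, dB)
    rho1 = reduced_state_bob(psi1, dA, dB)
    if not np.allclose(rho0, rho1, atol=tol):
        return None
    lams, phis = np.linalg.eigh(rho0)   # shared lambda_k and |phi_k>_B
    W0 = complete_unitary(alice_schmidt_vectors(psi0, dA, dB, phis, lams))
    W1 = complete_unitary(alice_schmidt_vectors(psi1, dA, dB, phis, lams))
    return W1 @ W0.conj().T             # maps |e_k> to |e'_k> for every k

def run_example(theta=np.pi / 6):
    """Constructed example (A and B one qubit each, flat index = a*2 + b):
       |0>_com = cos t |0>_A|0>_B + sin t |1>_A|1>_B
       |1>_com = cos t |+>_A|0>_B + sin t |->_A|1>_B
    Both give rho_B = diag(cos^2 t, sin^2 t), so Bob sees nothing; the
    rotation Alice needs turns out to be the Hadamard gate on her qubit."""
    c, s = np.cos(theta), np.sin(theta)
    r = 1 / np.sqrt(2)
    psi0 = np.array([c, 0, 0, s], dtype=complex)
    psi1 = np.array([c * r, s * r, c * r, -s * r], dtype=complex)
    leaky = np.array([1, 0, 0, 0], dtype=complex)  # a b=1 state Bob could tell apart
    hadamard = np.array([[1, 1], [1, -1]]) / np.sqrt(2)
    U = cheating_unitary(psi0, psi1, 2, 2)
    rotated = np.kron(U, np.eye(2)) @ psi0
    return {
        'bob_trace_distance': trace_distance(reduced_state_bob(psi0, 2, 2),
                                             reduced_state_bob(psi1, 2, 2)),
        'is_unitary': bool(np.allclose(U @ U.conj().T, np.eye(2))),
        'rotates_0_to_1': bool(np.allclose(rotated, psi1)),
        'matches_hadamard': bool(np.allclose(U, hadamard)),
        'leaky_has_local_unitary': cheating_unitary(psi0, leaky, 2, 2) is not None,
    }

if __name__ == '__main__':
    print(run_example())
```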

2.3 Non-ideal bit commitment 

In our above discussion, we have assumed that the bit commitment scheme is ideal in the sense that Bob has absolutely no information about the value of $b$ at the end of step (b). This is the physical reason behind the mathematical statement that $\rho_0^{com} = \mathrm{Tr}_A(|0\rangle_{com}\langle 0|_{com}) = \mathrm{Tr}_A(|1\rangle_{com}\langle 1|_{com}) = \rho_1^{com}$ (i.e., the two density matrices corresponding to the two cases $b = 0$ and $b = 1$ are identical). However, in realistic applications, one might allow Bob to have a very tiny amount of information about $b$ at that time. It is intuitively obvious that this is not going to change our conclusion. On the one hand, if Bob has a large probability of distinguishing between the two states corresponding to $b = 0$ and $b = 1$ at the end of step (b), the scheme is inherently unsafe against Bob. On the other hand, if Bob has a small probability of distinguishing between the two states, then clearly, the density matrices $\rho_0^{com} = \mathrm{Tr}_A(|0\rangle_{com}\langle 0|_{com})$ and $\rho_1^{com} = \mathrm{Tr}_A(|1\rangle_{com}\langle 1|_{com})$ must be close to each other in some sense. We have seen in the last subsection that when the two density matrices are identical, Alice can always cheat successfully. It is, therefore, at least highly suggestive that, when the two density matrices are only slightly different, Alice will have a probability close to 1 of cheating successfully. A detailed calculation, which will be sketched briefly in the next subsection, shows that this is indeed the case. Therefore, even non-ideal bit commitment schemes are necessarily highly insecure.

Footnote 4: What is the problem with quantum bit commitment? Here is an analogy. Suppose that there are two novels whose first halves are the same, but the second halves are different. I give you only the first half of one of the two novels and I tell you that I have committed to a particular novel and that I cannot change it anymore. Will you trust me? Of course not. Since the first halves of the two novels are the same, no real commitment has been made. I am free to give you the second half of either novel and claim that I have committed to either one all along. There is no way for you to tell whether I am lying.

2.4 Fidelity 

In this subsection, following Mayers [19], we sketch the mathematical proof of the insecurity of non-ideal quantum bit commitment schemes. Readers who are uninterested in mathematical details may skip this subsection on first reading. The price that they have to pay is to take the fidelity equations of this subsection for granted.

First of all, the fidelity [11], [14] between two density matrices $\rho_0$ and $\rho_1$ of a system B is defined as

$$F(\rho_0, \rho_1) = \mathrm{Tr}\sqrt{\rho_1^{1/2}\,\rho_0\,\rho_1^{1/2}}. \qquad (3)$$

We have $0 \le F \le 1$, and $F = 1$ if and only if $\rho_0 = \rho_1$. Returning to the case of non-ideal bit commitment that we have been considering, the fact that Bob has a small probability of distinguishing between the two states $\rho_0^{com}$ and $\rho_1^{com}$ implies that the fidelity $F(\rho_0^{com}, \rho_1^{com})$ is very close to 1, i.e.,

$$F(\rho_0^{com}, \rho_1^{com}) = 1 - \delta, \qquad (4)$$

where $\delta$ is small.

An alternative and equivalent definition of fidelity involves the concept of purification. Imagine another system E attached to our given system B. There are many pure states $|\psi_0\rangle$ and $|\psi_1\rangle$ on the composite system such that

$$\mathrm{Tr}_E(|\psi_0\rangle\langle\psi_0|) = \rho_0 \quad \text{and} \quad \mathrm{Tr}_E(|\psi_1\rangle\langle\psi_1|) = \rho_1. \qquad (5)$$

The pure states $|\psi_0\rangle$ and $|\psi_1\rangle$ are called the purifications of the density matrices $\rho_0$ and $\rho_1$. The fidelity can be defined as

$$F(\rho_0, \rho_1) = \max |\langle\psi_0|\psi_1\rangle|, \qquad (6)$$

where the maximization is over all possible purifications. We remark that for any fixed purification of $\rho_1$, there exists a maximally parallel purification of $\rho_0$ satisfying Eq. (6).

Let us go back to a non-ideal quantum bit commitment scheme. We take E to be the combined system of Alice's machine A and the channel C. It follows from Eqs. (4) and (6) that, for the state $|1\rangle_{com}$ which is a purification of $\rho_1^{com}$, there exists a purification $|\phi_0\rangle_{ABC}$ of $\rho_0^{com}$ such that

$$|\langle\phi_0|1\rangle_{com}| = F(\rho_0^{com}, \rho_1^{com}) = 1 - \delta. \qquad (7)$$

The strategy of a cheating Alice is the same as in the ideal case. She always prepares the state $|0\rangle$ corresponding to $b = 0$ in step (a) and goes through step (b). She decides on the value of $b$ she likes only in the beginning of step (c). If she chooses $b = 0$, of course, she can just follow the rule. If she chooses $b = 1$, she applies a unitary transformation to obtain the state $|\phi_0\rangle_{ABC}$ in $H = H_A \otimes H_B \otimes H_C$. Notice that if she had been honest, the state would have been $|1\rangle_{com}$ instead. Since $|\phi_0\rangle_{ABC}$ and $|1\rangle_{com}$ are so similar to each other (see Eq. (7)), Bob clearly has a hard time in detecting the dishonesty of Alice. Therefore, Alice can cheat successfully with a very large probability.

Yet another equivalent definition of the fidelity, which will be useful in the next section, can be given in terms of positive-operator-valued measures (POVMs). A POVM is a set $\{E_b\}$ of positive operators (i.e., Hermitian operators with non-negative eigenvalues) that satisfy a sort of completeness relation (i.e., $\sum_b E_b$ equals the identity operator). A POVM simply represents the most general measurement that can be performed on a system. More concretely, it is implemented by a) placing the system in contact with an auxiliary system or ancilla prepared in a standard state, b) evolving the two by a unitary operator, and c) performing an ordinary von Neumann measurement on the ancilla. In terms of POVMs, the fidelity is defined as

$$F(\rho_0, \rho_1) = \min \sum_b \sqrt{\mathrm{Tr}\,\rho_0 E_b}\,\sqrt{\mathrm{Tr}\,\rho_1 E_b}, \qquad (8)$$

where the minimization is over all POVMs $\{E_b\}$. Eq. (8) will be useful in the next section.
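Added example (not from the paper) working Eqs. (3), (6), (7) and (8) on constructed qubit density matrices: the fidelity from Eq. (3); for a fixed purification of $\rho_1$, the maximally parallel purification of $\rho_0$ built from a polar decomposition, which is the state $|\phi_0\rangle$ of Eq. (7); and the check that one particular POVM gives a value no smaller than $F$, as Eq. (8) demands. For simplicity the purifying system E is a copy of B rather than the paper's A plus C; numpy is assumed.

```python
import numpy as np

def sqrtm_psd(rho):
    """Matrix square root of a positive semidefinite density matrix via its eigenbasis."""
    w, v = np.linalg.eigh(rho)
    return (v * np.sqrt(np.clip(w, 0, None))) @ v.conj().T

def fidelity(rho0, rho1):
    """Eq. (3): F = Tr sqrt(rho1^{1/2} rho0 rho1^{1/2})."""
    s1 = sqrtm_psd(rho1)
    w = np.linalg.eigvalsh(s1 @ rho0 @ s1)
    return float(np.sum(np.sqrt(np.clip(w, 0, None))))

def canonical_purification(rho):
    """A purification of rho on B (x) E with dim E = dim B, stored as the matrix M
    with |psi> = sum_{j,e} M[j,e] |j>_B |e>_E, so that Tr_E |psi><psi| = M M^dagger."""
    return sqrtm_psd(rho)

def max_parallel_purification(rho0, M1):
    """Given a fixed purification M1 of rho1, the purification M0 of rho0 that
    maximises |<psi0|psi1>| in Eq. (6).  Every purification of rho0 (dim E = dim B)
    is sqrt(rho0) V with V unitary on E, and <psi0|psi1> = Tr(V^dagger X) with
    X = sqrt(rho0) M1; the maximum, Tr|X|, is attained at the polar unitary of X."""
    X = sqrtm_psd(rho0) @ M1
    W, _, Vh = np.linalg.svd(X)
    return sqrtm_psd(rho0) @ (W @ Vh)

def overlap(M0, M1):
    """|<psi0|psi1>| for purifications stored as matrices."""
    return float(abs(np.trace(M0.conj().T @ M1)))

def povm_value(rho0, rho1, povm):
    """The sum in Eq. (8) for one particular POVM; its minimum over all POVMs is F."""
    return float(sum(np.sqrt(np.trace(rho0 @ E).real * np.trace(rho1 @ E).real)
                     for E in povm))

def fidelity_example():
    """Constructed non-ideal commitment: Bob's two reduced states differ slightly."""
    rho0 = np.diag([0.9, 0.1]).astype(complex)
    rho1 = np.diag([0.8, 0.2]).astype(complex)
    t = np.pi / 8
    R = np.array([[np.cos(t), -np.sin(t)], [np.sin(t), np.cos(t)]])
    rho1_rot = (R @ np.diag([0.8, 0.2]) @ R.T).astype(complex)  # does not commute with rho0
    z_basis = [np.diag([1, 0]).astype(complex), np.diag([0, 1]).astype(complex)]

    F = fidelity(rho0, rho1)          # commuting case: sqrt(0.72) + sqrt(0.02)
    F_rot = fidelity(rho0, rho1_rot)
    M1 = canonical_purification(rho1_rot)      # plays the role of |1>_com
    M0 = max_parallel_purification(rho0, M1)   # plays the role of |phi_0>
    return {
        'F_commuting': F,
        'delta': 1 - F,                        # the delta of Eq. (4)
        'purifies_rho0': bool(np.allclose(M0 @ M0.conj().T, rho0)),
        'overlap_equals_F': bool(abs(overlap(M0, M1) - F_rot) < 1e-9),  # Eq. (7)
        'povm_value_minus_F': povm_value(rho0, rho1_rot, z_basis) - F_rot,
        'F_identical': fidelity(rho0, rho0),   # ideal case of section 2.2
        # Assumption for illustration only: if Bob's opening test were the projection
        # onto the honest state, the fake state would pass with probability (1-delta)^2.
        'accept_prob_if_bob_projects': overlap(M0, M1) ** 2,
    }

if __name__ == '__main__':
    print(fidelity_example())
```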

3 Quantum coin tossing 

Suppose that Alice and Bob are having a divorce and that they are living far away from each other. They would like to decide by a coin flip over the telephone who is going to keep the house. Of course, if one of them is tossing a real coin, there is no way for the other to tell if he/she is cheating. Therefore, there must be something else that is simulating the coin flip. Just like bit commitment, coin tossing can be done in classical cryptography either through trusted intermediaries or by accepting some unproven cryptographic assumptions. The question is: can quantum mechanics help to remove those requirements? In other words, do coin tossing schemes whose security is based solely on the laws of quantum physics exist?

Notice that a secure bit commitment protocol can be used trivially to implement a secure coin tossing protocol (see footnote 5) but the converse is not true. Coin tossing is a weaker protocol for which we have a weaker result: ideal quantum coin tossing schemes do not exist. We define an ideal coin tossing scheme as one that satisfies the following requirements (see footnote 6):

1) At the end of the coin tossing scheme, there are three possible outcomes: '0', '1' or 'invalid'.

2) Both users know which outcome occurs.

3) If the outcomes '0' or '1' occur, Alice and Bob can be sure that they occur with precisely the (non-zero) probabilities, say 1/2 each, prescribed by the protocol.

4) If both users are honest, the outcome 'invalid' will never occur.

Footnote 5: Alice chooses a bit and commits it to Bob. Bob simply tells Alice his guess for her bit. Alice then opens her commitment to see if Bob has guessed correctly.

Footnote 6: We gratefully thank Goldenberg and Mayers for many discussions which are very helpful for sharpening and clarifying our ideas.

In other words, in an ideal coin tossing scheme, both parties will always agree with each other on the outcome. There is no room for dispute. Also, cheating in an ideal coin tossing will only lead to a non-vanishing probability for the occurrence of 'invalid' as an outcome, but will not change the relative probability of occurrence of '0' and '1'. Most coin tossing schemes are non-ideal. However, any non-ideal quantum coin tossing scheme can be regarded as an approximation to an ideal scheme. Investigations of the ideal scheme may, therefore, shed some light on those more realistic, but non-ideal, ones. To show that ideal quantum coin tossing is impossible, we first prove the following Lemma.

Lemma: Given that Alice and Bob initially share no entangled quantum states, they cannot achieve ideal quantum coin tossing without any further communication between each other.

Proof: An ideal coin tossing scheme will give Alice and Bob non-zero mutual information. However, without prior classical communication, the maximal amount of mutual information that can be gained by Alice and Bob through local operations on shared entangled quantum states is bounded by the entropy of formation. In the absence of entanglement, they cannot share any mutual information. Hence, coin tossing without prior communication or shared entangled quantum states must be impossible.

Now we come to the main theorem. 

Theorem: Given that Alice and Bob initially share no entangled quantum states, ideal quantum coin tossing is impossible.

Proof. The idea of our proof is simple. We prove by contradiction using backward induction. Let us assume that an ideal quantum coin tossing can be done with a fixed and finite number, $N$, of rounds of communication between Alice and Bob. We will prove that it can then be done in $N - 1$ rounds. By repeated induction, it can be done without any communication between Alice and Bob at all. This is impossible because of the above Lemma.

The induction step from $N$ rounds to $N - 1$ rounds: Suppose that there exists an ideal quantum coin tossing protocol which involves $N$ alternate rounds of communication between Alice and Bob. We need to prove that an ideal quantum coin tossing protocol with only $N - 1$ rounds exists. Let us concentrate on the $N$-th round of the communication. Without much loss of generality, assume that it is Alice's turn to send quantum signals through the channel C in the $N$-th round. As this is the last round, by the definition of ideal coin tossing, Alice can perform a measurement and determine the outcome, 0, 1 or 'invalid', before sending out the last round signals to Bob. Notice that Alice should have no objection against eliminating the $N$-th round altogether because she has nothing to gain in sending the last round signals (other than convincing Bob of the outcome). On the other hand, Bob is supposed to learn the outcome of the coin tossing through the combined state in $H_B \otimes H_C$. However, Alice, who already knows the outcome herself, may attempt to alter Bob's outcome by changing the mixed state in $H_C$ that she is sending through the channel. This is essentially the same strategy of cheating as in the case of quantum bit commitment discussed earlier.

For the three possible outcomes in Alice's measurement, 0, 1 and 'invalid', let us denote the corresponding density matrices in Bob's control before the receipt of the $N$-th round signals by $\rho_0^B$, $\rho_1^B$ and $\rho_{invalid}^B$ respectively. Alice's ability to cheat successfully against an honest Bob depends on the values of the fidelities $F(\rho_0^B, \rho_1^B)$, $F(\rho_0^B, \rho_{invalid}^B)$ and $F(\rho_1^B, \rho_{invalid}^B)$. Here for simplicity, we assume that there is a single pure state corresponding to the outcome 'invalid'. However, our arguments are general. For ideal quantum coin tossing, we demand that the probability of Alice cheating successfully be exactly zero. This implies, with the definition of fidelity in Eq. (8), that $F(\rho_0^B, \rho_1^B) = 0$, $F(\rho_0^B, \rho_{invalid}^B) = 0$ and $F(\rho_1^B, \rho_{invalid}^B) = 0$. It then follows from the definition of fidelity that $\rho_0^B$, $\rho_1^B$ and $\rho_{invalid}^B$ have orthogonal supports and can be completely distinguished from one another even without the last round of transmission from Alice. Hence, even Bob has nothing to gain from the last round of communication. A truncated ideal coin tossing scheme with only $N - 1$ rounds of communication must, therefore, be as secure as the original $N$-round scheme. This completes our inductive argument and we conclude that ideal quantum coin tossing is impossible.
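The last-round argument as an added numerical illustration, not code from the paper: Bob's three pre-last-round states $\rho_0^B$, $\rho_1^B$, $\rho_{invalid}^B$ on a constructed two-qubit register, their pairwise fidelities from Eq. (3), and, when all of them vanish, the projectors onto the orthogonal supports with which Bob reads off the outcome without Alice's final message. A second constructed set with overlapping supports shows the check failing; numpy is assumed.

```python
import numpy as np

def fidelity(rho0, rho1):
    """Eq. (3): F = Tr sqrt(rho1^{1/2} rho0 rho1^{1/2}), computed in the eigenbasis."""
    w1, v1 = np.linalg.eigh(rho1)
    s1 = (v1 * np.sqrt(np.clip(w1, 0, None))) @ v1.conj().T
    w = np.linalg.eigvalsh(s1 @ rho0 @ s1)
    return float(np.sum(np.sqrt(np.clip(w, 0, None))))

def support_projector(rho, tol=1e-10):
    """Projector onto the support (range) of rho."""
    w, v = np.linalg.eigh(rho)
    cols = v[:, w > tol]
    return cols @ cols.conj().T

def last_round_dispensable(rhos, tol=1e-9):
    """Given Bob's states {outcome: rho_B} before the N-th round, return
    (True, projectors) if every pairwise fidelity is zero, so one projective
    measurement identifies the outcome with certainty; otherwise (False, None)."""
    names = list(rhos)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if fidelity(rhos[a], rhos[b]) > tol:
                return False, None
    return True, {n: support_projector(rhos[n]) for n in names}

def outcome_success_rates(rhos, projectors):
    """Tr(P_outcome rho_outcome); 1.0 means Bob's local measurement never errs."""
    return {n: float(np.trace(projectors[n] @ rhos[n]).real) for n in rhos}

def ket(idx, dim=4):
    v = np.zeros(dim, dtype=complex)
    v[idx] = 1
    return v

def proj(v):
    return np.outer(v, v.conj())

def coin_tossing_example():
    # Constructed: Bob holds two qubits; outcome 0 is a mixture of |00>,|01>,
    # outcome 1 is |10>, invalid is |11>.  All supports are orthogonal.
    ideal = {'0': 0.5 * proj(ket(0)) + 0.5 * proj(ket(1)),
             '1': proj(ket(2)),
             'invalid': proj(ket(3))}
    # Non-ideal: outcome 1 now leaks into |01>, overlapping outcome 0's support.
    plus = (ket(1) + ket(2)) / np.sqrt(2)
    leaky = dict(ideal, **{'1': proj(plus)})
    ok, P = last_round_dispensable(ideal)
    ok_leaky, _ = last_round_dispensable(leaky)
    return {
        'ideal_dispensable': ok,
        'ideal_rates': outcome_success_rates(ideal, P) if ok else None,
        'leaky_dispensable': ok_leaky,
        'leaky_F_0_1': fidelity(leaky['0'], leaky['1']),   # sqrt(0.5 * 0.5) = 0.5
    }

if __name__ == '__main__':
    print(coin_tossing_example())
```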

Unlike quantum bit commitment, for quantum coin tossing there is no simple way to generalize our proof of the impossibility of the ideal scheme to the non-ideal schemes. This is surprising because no such distinction has been previously noted in the literature. As far as we know, all previously proposed quantum coin tossing schemes are based on quantum bit commitment schemes. The security of non-ideal quantum coin tossing should be an important subject for future investigations. We hope that our investigation of the ideal case will shed light on the subtleties in the non-ideal case.



4 A constraint on two-party secure computation

Let us consider the issue of two-party secure computation in a more general setting. The idea of two-party secure computation is the following: Alice has a secret $x$ and Bob has another secret $y$. Both would like to know the result $f(x,y)$ at the end of a computation and be sure that the result is correct. However, neither side wishes the other side to learn more about its own secret than what can be deduced from the output $f(x,y)$. As mentioned earlier, classical cryptographic schemes can implement two-party secure computation at the cost of introducing trusted intermediaries or accepting unproven cryptographic assumptions. Our results in the last two sections strongly suggest that, in principle at least, quantum cryptography would not be useful for getting rid of those requirements in two-party secure computation. Even if quantum mechanics does not help, one may ask if there is any way of implementing a two-party computation that is secure from an information-theoretic point of view. In particular, if quantum mechanics turned out to be wrong and were replaced by a new physical theory, would it be conceivable that two-party secure computation can be done in this new theory? Here we argue that if Alice and Bob are shameless enough to declare their dishonesty and stop the computation whenever one of them has the slightest advantage over the other in the amount of mutual information he/she has on the function $f(x,y)$, a two-party secure computation can never be implemented.

For simplicity, let us normalize everything and assume that initially both Alice and Bob have no information about $f(x,y)$ and at the end of the computation, both have 1 bit of information about $f(x,y)$. Let us suppose further that Alice and Bob are unkind enough to stop the computation whenever one of them has $\epsilon$ bit of information more than the other. Any realistic scheme must involve a finite number, say $N$, of alternate rounds of communication between Alice and Bob. An analogy is that two persons, Alice and Bob, are walking in discrete alternate steps from the starting point to the finishing line set at 1. Altogether $N$ steps are made and it is demanded that Alice and Bob will never be separated from each other by more than a distance $\epsilon$ (see footnote 7). Clearly, this implies $N\epsilon > 1$ or $N > 1/\epsilon$. Therefore, the smaller the tolerable relative informational advantage $\epsilon$ is, the larger the number of rounds of communication $N$ that is needed. Notice that the constraint $N\epsilon > 1$ applies to any two-party secure computation scheme. In particular, it remains valid even if quantum mechanics is wrong.

Footnote 7: Actually, there is a minor subtlety in quantum cryptography. Each time one user, say Alice, advances, the other user, say Bob, may slip backwards. The point is: the quantum "no-cloning theorem" states that quantum signals cannot be copied. When Bob sends signals to Alice, he loses control over the signals that he sends. In other words, Bob's available information tends to decrease whenever he sends signals to Alice.

It may also be of some interest to speculate that a similar inequality $N\epsilon > O(1)$ may hold for non-ideal quantum coin tossing schemes, where $N$ is the number of rounds of communication and $\epsilon$ is the probability that a user cheats successfully. Consequently, as $\epsilon \to 0$, $N \to \infty$ and ideal quantum coin tossing with finite rounds of communication becomes impossible.



5 Summary 

We have shown that all realistic quantum bit commitment and ideal quantum coin tossing protocols are, in principle, insecure. The basic problem is that the users can cheat using an EPR-type of attack. Our results totally contradict well-known claims of "provably unbreakable" schemes in the literature, whose analyses of EPR attacks were flawed, and provide strong evidence against the security of quantum cryptography in "post-cold-war" applications, at least in principle. The early optimism in the subject is, therefore, misplaced. Nevertheless, quantum bit commitment schemes that are secure in practice may still exist because it is notoriously difficult for cheaters with current technology to store quantum signals for an arbitrary length of time. A more serious consideration is the following. In order to cheat successfully, a cheater may need a quantum computer, but such a computer is not yet available with current technology. Therefore, we can trade the traditional complexity assumption for an assumption on the inability of the cheater to store quantum signals for a long period of time and to build and operate a quantum computer. This subject deserves further investigation. Another important unsolved problem is the security of non-ideal quantum coin tossing. Finally, we remark that, thanks to the quantum "no-cloning" theorem, the security of quantum key distribution [refs, 18] is widely accepted and quantum cryptography is useful at least for this purpose. We expect that quantum key distribution will remain a fertile subject for years to come.